Image: Pathum Danthanarayana

New Android malware can capture private messages, researchers warn

Security researchers have uncovered a new Android banking trojan capable of intercepting messages from apps including WhatsApp, Telegram and Signal after they have been decrypted.

Dutch cybersecurity firm ThreatFabric said on Thursday it had identified the malware, dubbed Sturnus, which can steal banking credentials using highly convincing fake login screens and give attackers near-total remote control of infected devices.

Once installed, Sturnus can monitor everything displayed on a phone in real time — including contacts, full message threads and the content of encrypted chats — by accessing data after it has been decrypted by legitimate apps. It can also inject text, observe user activity, and execute transactions while displaying a black, full-screen overlay that hides the operation from the victim.
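The article does not say how Sturnus reads screen content or draws its overlay. On Android, reading the text another app has on screen and injecting input requires an enabled accessibility service, and a full-screen overlay needs the SYSTEM_ALERT_WINDOW app-op, so those two grants are what a responder checks first on a suspect device. The triage helper below is an added example, not code from the article or from ThreatFabric: it parses constructed copies of the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, and flags third-party packages that hold both grants and are not on an analyst-maintained allowlist. Every package name and the allowlist are invented.

```python
"""Triage helper for an Android device suspected of running an overlay/accessibility
banking trojan. Constructed example: the adb outputs below were written by hand so
the script runs offline; on a real case, capture them from the device first."""
from dataclasses import dataclass

# Constructed output of: adb shell settings get secure enabled_accessibility_services
# Format is colon-separated ComponentNames; a class starting with "." is relative
# to its package, and the value is the literal string "null" when nothing is enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.example.screenreader/.ReaderService:"
    "com.updater.free/com.updater.free.svc.AccService"
)

# Constructed output of: adb shell pm list packages -3   (third-party packages only)
SAMPLE_THIRD_PARTY = (
    "package:com.example.screenreader\n"
    "package:com.updater.free\n"
    "package:org.thoughtcrime.securesms\n"
)

# Constructed output of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, one per package
SAMPLE_APPOPS = {
    "com.example.screenreader": "No operations.",
    "com.updater.free": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m0s ago",
    "org.thoughtcrime.securesms": "No operations.",
}

# Hypothetical allowlist of accessibility apps the user legitimately relies on.
KNOWN_GOOD = {"com.example.screenreader"}


def parse_enabled_services(raw):
    """Return (package, fully-qualified class) pairs from the settings value."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        if "/" not in component:
            continue  # malformed entry; skip rather than crash
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the relative class name
        services.append((pkg, cls))
    return services


def parse_third_party(raw):
    """Return the set of package names from `pm list packages -3` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def overlay_allowed(appops_output):
    """True if the appops dump shows SYSTEM_ALERT_WINDOW in 'allow' mode."""
    for line in appops_output.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].strip().split(";")[0].strip()
            return mode == "allow"
    return False


@dataclass
class Finding:
    pkg: str
    service: str
    overlay: bool
    known_good: bool


def triage(enabled_raw, third_party_raw, appops_by_pkg, known_good):
    """One Finding per third-party package with an enabled accessibility service."""
    third_party = parse_third_party(third_party_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg not in third_party:
            continue  # preloaded/system services are out of scope for this check
        findings.append(Finding(
            pkg=pkg,
            service=cls,
            overlay=overlay_allowed(appops_by_pkg.get(pkg, "")),
            known_good=pkg in known_good,
        ))
    return findings


def high_priority(findings):
    """Packages holding both grants that nobody vouched for: investigate these first."""
    return [f.pkg for f in findings if f.overlay and not f.known_good]


if __name__ == "__main__":
    results = triage(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY, SAMPLE_APPOPS, KNOWN_GOOD)
    for f in results:
        print(f"{f.pkg}: service={f.service} overlay={f.overlay} allowlisted={f.known_good}")
    print("high priority:", high_priority(results))
```

A package that appears in the high-priority list is not proof of infection, only the combination that an overlay trojan needs; the next step is to pull the APK and review its declared accessibility service and permissions.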

ThreatFabric said the malware appears to be in development or limited testing, but is already configured with templates targeting banks across Southern and Central Europe, suggesting preparations for a wider campaign.

While the malware is likely in its pre-deployment state, researchers said, it is also fully functional and in some aspects more advanced than established malware families.

“Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations,” the company added.

Sturnus is part of a wave of newly emerging Android banking trojans. In October, researchers uncovered a separate strain, Herodotus, which mimics human behaviour to evade detection while remotely operating a device. Another trojan, Crocodilus, has been used to take full control of phones to steal funds from banking and online accounts.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.